1. Technical Field
The present invention relates generally to the analysis of malicious code and, more particularly, to technology for executing analysis target code suspected to be malicious code in a multi-core environment, thus detecting and analyzing the behavior of malicious code.
2. Description of the Related Art
When malicious code is analyzed, the technology chiefly used directly executes suspicious files on an emulator or a virtual machine, rather than on a client system, and detects whether the suspicious files include malicious behavior.
Technology for analyzing malicious code in a virtual environment is advantageous in that each file is executed, and its malicious behavior detected, on a separate virtual machine independent of the user system, so that the analysis is easily isolated from the user environment.
Further, even if executed malicious code adversely affects the system, the system is simply reinitialized, and thus each analysis target file can be executed and evaluated in a fresh virtual environment within a short time period. Compared to a method that constructs an actual system, executes the analysis target code, and determines whether malicious behavior has occurred, the time required to restore the system is greatly reduced, enabling malicious behavior to be detected easily across a large number of analysis target files.
However, malicious code that evades analysis methods based on a virtual environment has recently appeared. That is, such malicious code recognizes that the current environment is a virtual environment and behaves differently in the virtual environment than it would in a real environment, making it difficult to analyze and detect.
The virtual environments chiefly used for Personal Computers (PCs) in malicious code analysis systems include VMWare, Virtual-PC, Quick Emulator (QEMU)/Kernel Virtual Machine (KVM), etc., and the virtual environments of the Android Operating System (OS) include TaintDroid for analyzing malicious code, etc. Malicious code recognizes that the current environment is a virtual environment using various recognition methods specific to each virtual environment.
In order to analyze malicious code that evades a virtual environment in this way, the malicious code must be executed in a real environment, such as a real hardware-based environment or a bare-metal system, and the behavior of the target malicious code must be observed, extracted, and analyzed from outside the malicious code execution environment.
However, conventional technology is configured such that, after the malicious code is executed, the changed state of the hard disk in the target system is extracted and the behavior of the malicious code is then determined from it. Since such a hard disk forensic method extracts only the end results of the malicious code on the target system, information about the detailed behavior occurring during execution of the malicious code cannot be extracted, making it difficult to analyze such behavior precisely.
Methods have also appeared that extract and store the network packets transmitted to and received from outside the analysis target system in order to observe network behavior, and that use the stored network packets to analyze the external network address accessed by the malicious code, the data exchanged over the network, and so on. However, these methods have the disadvantage that, when the malicious code performs network communication using encrypted data, the malicious code cannot be analyzed.
Therefore, malicious code analysis technology is required that enables the intermediate behavior of malicious code during its execution to be observed in real time while monitoring from outside the execution environment.
In connection with this, Korean Patent Application Publication No. 10-2007-0049511 (Date of publication: May 11, 2007) discloses a technology related to “Analysis System for Malicious Code and Method thereof.”